Message ID | 20230515131522.539380-1-schitrod@cisco.com |
---|---|
State | New |
Series | [meta-selinux] selinux: Set CVE_PRODUCT |
Hi all,

Any update/comment?

Thanks,
Sanjay

-----Original Message-----
From: Sanjay Chitroda <schitrod@cisco.com>
Sent: Monday, May 15, 2023 6:45 PM
To: yocto@lists.yoctoproject.org
Cc: Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) <schitrod@cisco.com>
Subject: [meta-selinux][PATCH] selinux: Set CVE_PRODUCT

The CVE product name for selinux-* package is (usually) the selinux (and not our recipe name), so use selinux as the default.

See also: http://lists.openembedded.org/pipermail/openembedded-core/2017-July/139897.html

"Results from cve-check are not very good at the moment. One of the reasons for this is that component names used in CVE database differ from yocto recipe names. This series fixes several of those name mapping problems by setting the CVE_PRODUCT correctly in the recipes. To check this mapping with after a build, I'm exporting LICENSE and CVE_PRODUCT variables to buildhistory for recipes and packages."

Value added is based on: https://nvd.nist.gov/vuln/search/results?results_type=overview&search_type=all&cpe_product=cpe%3A%2F%3Akernel%3Aselinux

Signed-off-by: Sanjay Chitroda <schitrod@cisco.com>

---
 recipes-security/selinux/selinux_common.inc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/recipes-security/selinux/selinux_common.inc b/recipes-security/selinux/selinux_common.inc index 383f62d..cd51a86 100644 --- a/recipes-security/selinux/selinux_common.inc +++ b/recipes-security/selinux/selinux_common.inc @@ -15,3 +15,5 @@ do_install() { SHLIBDIR="${base_libdir}" \ SYSTEMDDIR="${systemd_unitdir}" } + +CVE_PRODUCT ?= "kernel:selinux"

--
2.35.6
diff --git a/recipes-security/selinux/selinux_common.inc b/recipes-security/selinux/selinux_common.inc index 383f62d..cd51a86 100644 --- a/recipes-security/selinux/selinux_common.inc +++ b/recipes-security/selinux/selinux_common.inc @@ -15,3 +15,5 @@ do_install() { SHLIBDIR="${base_libdir}" \ SYSTEMDDIR="${systemd_unitdir}" } + +CVE_PRODUCT ?= "kernel:selinux"
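Review bot: the `CVE_PRODUCT ?= "kernel:selinux"` line added at the end of selinux_common.inc sets one vendor:product pair for every recipe that includes this file, yet the commit message only claims the name is "(usually)" selinux. Please state which of the selinux-* recipes were checked against the NVD entry, and set CVE_PRODUCT in the individual recipe where the product differs (the `?=` permits that), so cve-check does not report the same CVEs against recipes they do not affect. The message also says "use selinux as the default" while the value is the vendor-qualified `kernel:selinux`; a one-line comment above the assignment naming the NVD CPE it was taken from would document that.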
The CVE product name for selinux-* package is (usually) the selinux (and not our recipe name), so use selinux as the default.

See also: http://lists.openembedded.org/pipermail/openembedded-core/2017-July/139897.html

"Results from cve-check are not very good at the moment. One of the reasons for this is that component names used in CVE database differ from yocto recipe names. This series fixes several of those name mapping problems by setting the CVE_PRODUCT correctly in the recipes. To check this mapping with after a build, I'm exporting LICENSE and CVE_PRODUCT variables to buildhistory for recipes and packages."

Value added is based on: https://nvd.nist.gov/vuln/search/results?results_type=overview&search_type=all&cpe_product=cpe%3A%2F%3Akernel%3Aselinux

Signed-off-by: Sanjay Chitroda <schitrod@cisco.com>

---
 recipes-security/selinux/selinux_common.inc | 2 ++
 1 file changed, 2 insertions(+)